1BO4r2U

Recommendations

Info

33 34 Web Application Penetration Testing Web Application Penetration Testing Reverse-IP services Reverse-IP services are similar to DNS inverse queries, with the difference that the testers query a web-based application instead of a name server. There are a number of such services available. Since they tend to return partial (and often different) results, it is better to use multiple services to obtain a more comprehensive analysis. Domain tools reverse IP: http:/www.domaintools.com/reverse-ip/ (requires free membership) MSN search: http: /search.msn.com syntax: “ip:x.x.x.x” (without the quotes) Webhosting info: http: /whois.webhosting.info/ syntax: http: / whois.webhosting.info/x.x.x.x DNSstuff: http: /www.dnsstuff.com/ (multiple services available) http: /www.net-square.com/mspawn.html (multiple queries on domains and IP addresses, requires installation) tomDNS: http: /www.tomdns.net/index.php (some services are still private at the time of writing) SEOlogs.com: http: /www.seologs.com/ip-domains.html (reverse-IP/domain lookup) The following example shows the result of a query to one of the above reverse-IP services to 216.48.3.18, the IP address of www.owasp.org. Three additional non-obvious symbolic names mapping to the same address have been revealed. Gray Box Testing Not applicable. The methodology remains the same as listed in Black Box testing no matter how much information the tester starts with. Tools • DNS lookup tools such as nslookup, dig and similar. • Search engines (Google, Bing and other major search engines). • Specialized DNS-related web-based search service: see text. • Nmap - http:/www.insecure.org • Nessus Vulnerability Scanner - http:/www.nessus.org • Nikto - http:/www.cirt.net/nikto2 References Whitepapers [1] RFC 2616 – Hypertext Transfer Protocol – HTTP 1.1 Review webpage comments and metadata for information leakage (OTG-INFO-005) Summary It is very common, and even recommended, for programmers to include detailed comments and metadata on their source code. However, comments and metadata included into the HTML code might reveal internal information that should not be available to potential attackers. Comments and metadata review should be done in order to determine if any information is being leaked. Test Objectives Review webpage comments and metadata to better understand the application and to find any information leakage. How to Test HTML comments are often used by the developers to include debugging information about the application. Sometimes they forget about the comments and they leave them on in production. Testers should look for HTML comments which start with “”. Black Box Testing Check HTML source code for comments containing sensitive information that can help the attacker gain more insight about the application. It might be SQL code, usernames and passwords, internal IP addresses, or debugging information. Check HTML version information for valid version numbers and Data Type Definition (DTD) URLs • “strict.dtd” -- default strict DTD • “loose.dtd” -- loose DTD • “frameset.dtd” -- DTD for frameset documents Some Meta tags do not provide active attack vectors but instead allow an attacker to profile an application to Some Meta tags alter HTTP response headers, such as http-equiv that sets an HTTP response header based on the the content attribute of a meta element, such as: which will result in the HTTP header: and Expires: Fri, 21 Dec 2012 12:34:56 GMT will result in Cache-Control: no-cache will advise robots to not index and not follow links on the HTML page containing the tag. The Platform for Internet Content Selection (PICS) and Protocol for Web Description Resources (POWDER) provide infrastructure for associating meta data with Internet content. Gray Box Testing Not applicable. Tools • Wget • Browser “view source” function • Eyeballs • Curl References Whitepapers [1] http:/www.w3.org/TR/1999/REC-html401-19991224 HTML version 4.01 [2] http:/www.w3.org/TR/2010/REC-xhtml-basic-20101123/ XHT- ML (for small devices) [3] http:/www.w3.org/TR/html5/ HTML version 5 Identify application entry points (OTG-INFO-006) Summary Enumerating the application and its attack surface is a key precursor before any thorough testing can be undertaken, as it allows the tester to identify likely areas of weakness. This section aims to help identify and map out areas within the application that should be investigated once enumeration and mapping have been completed. Test Objectives Understand how requests are formed and typical responses from the application Googling Following information gathering from the previous techniques, testers can rely on search engines to possibly refine and increment their analysis. This may yield evidence of additional symbolic names belonging to the target, or applications accessible via non-obvious URLs. For instance, considering the previous example regarding www. owasp.org, the tester could query Google and other search engines looking for information (hence, DNS names) related to the newly discovered domains of webgoat.org, webscarab.com, and webscarab. net. Googling techniques are explained in Testing: Spiders, Robots, and Crawlers. ... 1Mary 2Peter 3Joe ... The tester may even find something like this: Test to see if this can be used to conduct injection attacks (e.g. CRLF attack). It can also help determine the level of data leakage via the browser cache. A common (but not WCAG compliant) Meta tag is the refresh. A common use for Meta tag is to specify keywords that a search engine may use to improve the quality of search results. Although most web servers manage search engine indexing via the robots.txt file, it can also be managed by Meta tags. The tag below How to Test Before any testing begins, the tester should always get a good understanding of the application and how the user and browser communicates with it. As the tester walks through the application, they should pay special attention to all HTTP requests (GET and POST Methods, also known as Verbs), as well as every parameter and form field that is passed to the application. In addition, they should pay attention to when GET requests are used and when POST requests are used to pass parameters to the application. It is very common that GET requests are used, but when sensitive information is passed, it is often done within the body of a POST request. Note that to see the parameters sent in a POST request, the tester will need to use a tool such as an intercepting proxy (for example, OWASP: Zed Attack Proxy (ZAP)) or a browser plug-in. Within the POST request, the tester should also make special note of any hidden form fields that are being passed to the application, as these usually contain sensitive information, such as state information, quantity of items, the price of items, that the developer never intended for you to see or change.
35 36 Web Application Penetration Testing Web Application Penetration Testing In the author’s experience, it has been very useful to use an intercepting proxy and a spreadsheet for this stage of the testing. The proxy will keep track of every request and response between the tester and the application as they u walk through it. Additionally, at this point, testers usually trap every request and response so that they can see exactly every header, parameter, etc. that is being passed to the application and what is being returned. This can be quite tedious at times, especially on large interactive sites (think of a banking application). However, experience will show what to look for and this phase can be significantly reduced. As the tester walks through the application, they should take note of any interesting parameters in the URL, custom headers, or body of the requests/responses, and save them in a spreadsheet. The spreadsheet should include the page requested (it might be good to also add the request number from the proxy, for future reference), the interesting parameters, the type of request (POST/GET), if access is authenticated/unauthenticated, if SSL is used, if it’s part of a multi-step process, and any other relevant notes. Once they have every area of the application mapped out, then they can go through the application and test each of the areas that they have identified and make notes for what worked and what didn’t work. The rest of this guide will identify how to test each of these areas of interest, but this section must be undertaken before any of the actual testing can commence. Below are some points of interests for all requests and responses. Within the requests section, focus on the GET and POST methods, as these appear the majority of the requests. Note that other methods, such as PUT and DELETE, can be used. Often, these more rare requests, if allowed, can expose vulnerabilities. There is a special section in this guide dedicated for testing these HTTP methods. Requests: • Identify where GETs are used and where POSTs are used. • Identify all parameters used in a POST request (these are in the body of the request). • Within the POST request, pay special attention to any hidden parameters. When a POST is sent all the form fields (including hidden parameters) will be sent in the body of the HTTP message to the application. These typically aren’t seen unless a proxy or view the HTML source code is used. In addition, the next page shown, its data, and the level of access can all be different depending on the value of the hidden parameter(s). • Identify all parameters used in a GET request (i.e., URL), in particular the query string (usually after a ? mark). • Identify all the parameters of the query string. These usually are in a pair format, such as foo=bar. Also note that many parameters can be in one query string such as separated by a &, ~, :, or any other special character or encoding. • A special note when it comes to identifying multiple parameters in one string or within a POST request is that some or all of the parameters will be needed to execute the attacks. The tester needs to identify all of the parameters (even if encoded or encrypted) and identify which ones are processed by the application. Later sections of the guide will identify how to test these parameters. At this point, just make sure each one of them is identified. • Also pay attention to any additional or custom type headers not typically seen (such as debug=False). Responses: • Identify where new cookies are set (Set-Cookie header), modified, or added to. • Identify where there are any redirects (3xx HTTP status code), 400 status codes, in particular 403 Forbidden, and 500 internal server errors during normal responses (i.e., unmodified requests). • Also note where any interesting headers are used. For example, “Server: BIG-IP” indicates that the site is load balanced. Thus, if a site is load balanced and one server is incorrectly configured, then the tester might have to make multiple requests to access the vulnerable server, depending on the type of load balancing used. Black Box Testing Testing for application entry points: The following are two examples on how to check for application entry points. EXAMPLE 1 This example shows a GET request that would purchase an item from an online shopping application. GET https:/x.x.x.x/shoppingApp/buyme.asp?CUSTOME- RID=100&ITEM=z101a&PRICE=62.50&IP=x.x.x.x Host: x.x.x.x Cookie: SESSIONID=Z29vZCBqb2IgcGFkYXdhIG15IHVzZXJuY- W1lIGlzIGZvbyBhbmQgcGFzc3dvcmQgaXMgYmFy Result Expected: Here the tester would note all the parameters of the request such as CUSTOMERID, ITEM, PRICE, IP, and the Cookie (which could just be encoded parameters or used for session state). EXAMPLE 2 This example shows a POST request that would log you into an application. POST https:/x.x.x.x/KevinNotSoGoodApp/authenticate.asp?- service=login Host: x.x.x.x Cookie: SESSIONID=dGhpcyBpcyBhIGJhZCBhcHAgdGhhdCB- zZXRzIHByZWRpY3RhYmxlIGNvb2tpZXMgYW5kIG1pbmUgaX- MgMTIzNA== CustomCookie=00my00trusted00ip00is00x.x.x.x00 Body of the POST message: user=admin&pass=pass123&debug=true&fromtrustIP=true Result Expected: In this example the tester would note all the parameters as they have before but notice that the parameters are passed in the body of the message and not in the URL. Additionally, note that there is a custom cookie that is being used. Gray Box Testing Testing for application entry points via a Gray Box methodology would consist of everything already identified above with one addition. In cases where there are external sources from which the application receives data and processes it (such as SNMP traps, syslog messages, SMTP, or SOAP messages from other servers) a meeting with the application developers could identify any functions that would accept or expect user input and how they are formatted. For example, the developer could help in understanding how to formulate a correct SOAP request that the application would accept and where the web service resides (if the web service or any other function hasn’t already been identified during the black box testing). Tools Intercepting Proxy: • OWASP: Zed Attack Proxy (ZAP) • OWASP: WebScarab • Burp Suite • CAT Browser Plug-in: • TamperIE for Internet Explorer • Tamper Data for Firefox References Whitepapers • RFC 2616 – Hypertext Transfer Protocol – HTTP 1.1 - http:/tools.ietf.org/html/rfc2616 Map execution paths through application (OTG-INFO-007) Summary Before commencing security testing, understanding the structure of the application is paramount. Without a thorough understanding of the layout of the application, it is unlkely that it will be tested thoroughly. Test Objectives Map the target application and understand the principal workflows. How to Test In black box testing it is extremely difficult to test the entire code base. Not just because the tester has no view of the code paths through the application, but even if they did, to test all code paths would be very time consuming. One way to reconcile this is to document what code paths were discovered and tested. There are several ways to approach the testing and measurement of code coverage: • Path - test each of the paths through an application that includes combinatorial and boundary value analysis testing for each decision path. While this approach offers thoroughness, the number of testable paths grows exponentially with each decision branch. • Data flow (or taint analysis) - tests the assignment of variables via external interaction (normally users). Focuses on mapping the flow, transformation and use of data throughout an application. • Race - tests multiple concurrent instances of the application manipulating the same data. The trade off as to what method is used and to what degree each method is used should be negotiated with the application owner. Simpler approaches could also be adopted, including asking the application owner what functions or code sections they are particularly concerned about and how those code segments can be reached. Black Box Testing To demonstrate code coverage to the application owner, the tester can start with a spreadsheet and document all the links discovered by spidering the application (either manually or automatically). Then the tester can look more closely at decision points in the application and investigate how many significant code paths are discovered. These should then be documented in the spreadsheet with URLs, prose and screenshot descriptions of the paths discovered. Gray/White Box testing Ensuring sufficient code coverage for the application owner is far easier with the gray and white box approach to testing. Information solicited by and provided to the tester will ensure the minimum requirements for code coverage are met. Example Automatic Spidering The automatic spider is a tool used to automatically discover new resources (URLs) on a particular website. It begins with a list of URLs to visit, called the seeds, which depends on how the Spider is started. While there are a lot of Spidering tools, the following example uses the Zed Attack Proxy (ZAP): ZAP offers the following automatic spidering features, which can be selected based on the tester’s needs: • Spider Site - The seed list contains all the existing URIs already found for the selected site. • Spider Subtree - The seed list contains all the existing URIs already found and present in the subtree of the selected node. • Spider URL - The seed list contains only the URI corresponding to the selected node (in the Site Tree). • Spider all in Scope - The seed list contains all the URIs the user has selected as being ‘In Scope’. Tools • Zed Attack Proxy (ZAP)
Page 1 and 2: 1 2 THE ICONS BELOW REPRESENT WHAT
Page 3 and 4: 3 4 Testing Guide Frontispiece Test
Page 5 and 6: 7 8 Testing Guide Introduction Test
Page 7 and 8: 11 12 Testing Guide Introduction Te
Page 9 and 10: 15 16 Testing Guide Introduction Te
Page 11 and 12: 19 20 Testing Guide Introduction of
Page 13 and 14: 23 24 Web Application Penetration T
Page 17: 31 32 Web Application Penetration T
Page 51 and 52: 99 100 Web Application Penetration
Page 69 and 70:
135 136 Web Application Penetration
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
211 212 Reporting Appendix Test ID
Page 109 and 110:
215 216 Appendix Appendix Testing -
Page 111:
219 220 LDAP Injection For details
show all

1BO4r2U

Create successful ePaper yourself

Delete template?

Save as template?